<?xml version="1.0" encoding="iso-8859-1" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <meta http-equiv="Content-Type" content=
    "application/xhtml+xml; charset=iso-8859-1" />
    <title>
      p11-kit-0.23.20
    </title>
    <link rel="stylesheet" type="text/css" href="../stylesheets/lfs.css" />
    <meta name="generator" content="DocBook XSL Stylesheets V1.79.1" />
    <link rel="stylesheet" href="../stylesheets/lfs-print.css" type=
    "text/css" media="print" />
  </head>
  <body class="blfs" id="blfs-9.1">
    <div class="navheader">
      <h4>
        Beyond Linux<sup>�</sup> From Scratch <span class="phrase">(System
        V</span> Edition) - Version 9.1
      </h4>
      <h3>
        Chapter&nbsp;4.&nbsp;Security
      </h3>
      <ul>
        <li class="prev">
          <a accesskey="p" href="openssh.html" title="OpenSSH-8.2p1">Prev</a>
          <p>
            OpenSSH-8.2p1
          </p>
        </li>
        <li class="next">
          <a accesskey="n" href="polkit.html" title="Polkit-0.116">Next</a>
          <p>
            Polkit-0.116
          </p>
        </li>
        <li class="up">
          <a accesskey="u" href="security.html" title=
          "Chapter&nbsp;4.&nbsp;Security">Up</a>
        </li>
        <li class="home">
          <a accesskey="h" href="../index.html" title=
          "Beyond Linux� From Scratch     (System V Edition) - Version 9.1">Home</a>
        </li>
      </ul>
    </div>
    <div class="sect1" lang="en" xml:lang="en">
      <h1 class="sect1">
        <a id="p11-kit" name="p11-kit"></a>p11-kit-0.23.20
      </h1>
      <div class="package" lang="en" xml:lang="en">
        <h2 class="sect2">
          Introduction to p11-kit
        </h2>
        <p>
          The <span class="application">p11-kit</span> package provides a way
          to load and enumerate PKCS #11 (a Cryptographic Token Interface
          Standard) modules.
        </p>
        <p>
          This package is known to build and work properly using an LFS-9.1
          platform.
        </p>
        <h3>
          Package Information
        </h3>
        <div class="itemizedlist">
          <ul class="compact">
            <li class="listitem">
              <p>
                Download (HTTP): <a class="ulink" href=
                "https://github.com/p11-glue/p11-kit/releases/download/0.23.20/p11-kit-0.23.20.tar.xz">
                https://github.com/p11-glue/p11-kit/releases/download/0.23.20/p11-kit-0.23.20.tar.xz</a>
              </p>
            </li>
            <li class="listitem">
              <p>
                Download MD5 sum: c9b3076475c6a57ca62005c43e77cd64
              </p>
            </li>
            <li class="listitem">
              <p>
                Download size: 804 KB
              </p>
            </li>
            <li class="listitem">
              <p>
                Estimated disk space required: 46 MB (add 169 MB for tests)
              </p>
            </li>
            <li class="listitem">
              <p>
                Estimated build time: 0.4 SBU (add 0.6 SBU for tests)
              </p>
            </li>
          </ul>
        </div>
        <h3>
          p11-kit Dependencies
        </h3>
        <h4>
          Recommended
        </h4>
        <p class="recommended">
          <a class="xref" href="../general/libtasn1.html" title=
          "libtasn1-4.16.0">libtasn1-4.16.0</a> and <a class="xref" href=
          "make-ca.html" title="make-ca-1.5">make-ca-1.5</a> (runtime)
        </p>
        <h4>
          Optional
        </h4>
        <p class="optional">
          <a class="xref" href="../general/gtk-doc.html" title=
          "GTK-Doc-1.32">GTK-Doc-1.32</a>, <a class="xref" href=
          "../general/libxslt.html" title=
          "libxslt-1.1.34">libxslt-1.1.34</a>, and <a class="xref" href=
          "nss.html" title="NSS-3.50">NSS-3.50</a> (runtime)
        </p>
        <p class="usernotes">
          User Notes: <a class="ulink" href=
          "http://wiki.linuxfromscratch.org/blfs/wiki/p11-kit">http://wiki.linuxfromscratch.org/blfs/wiki/p11-kit</a>
        </p>
      </div>
      <div class="installation" lang="en" xml:lang="en">
        <h2 class="sect2">
          Installation of p11-kit
        </h2>
        <p>
          Prepare the distribution specific anchor hook:
        </p>
        <pre class="userinput">
<kbd class="command">sed '20,$ d' -i trust/trust-extract-compat.in &amp;&amp;
cat &gt;&gt; trust/trust-extract-compat.in &lt;&lt; "EOF"
<code class="literal"># Copy existing anchor modifications to /etc/ssl/local
/usr/libexec/make-ca/copy-trust-modifications

# Generate a new trust store
/usr/sbin/make-ca -f -g</code>
EOF</kbd>
</pre>
        <p>
          Install <span class="application">p11-kit</span> by running the
          following commands:
        </p>
        <pre class="userinput">
<kbd class="command">./configure --prefix=/usr     \
            --sysconfdir=/etc \
            --with-trust-paths=/etc/pki/anchors &amp;&amp;
make</kbd>
</pre>
        <p>
          To test the results, issue: <span class="command"><strong>make
          check</strong></span>. Many tests will fail if the test suite is
          run as the <code class="systemitem">root</code> user.
        </p>
        <p>
          Now, as the <code class="systemitem">root</code> user:
        </p>
        <pre class="root">
<kbd class="command">make install &amp;&amp;
ln -sfv /usr/libexec/p11-kit/trust-extract-compat \
        /usr/bin/update-ca-certificates</kbd>
</pre>
      </div>
      <div class="commands" lang="en" xml:lang="en">
        <h2 class="sect2">
          Command Explanations
        </h2>
        <p>
          <em class=
          "parameter"><code>--with-trust-paths=/etc/pki/anchors</code></em>:
          this switch sets the location of trusted certificates used by
          libp11-kit.so.
        </p>
        <p>
          <code class="option">--with-hash-impl=freebl</code>: Use this
          switch if you want to use the Freebl library from <span class=
          "application">NSS</span> for SHA1 and MD5 hashing.
        </p>
        <p>
          <code class="option">--enable-doc</code>: Use this switch if you
          have installed <a class="xref" href="../general/gtk-doc.html"
          title="GTK-Doc-1.32">GTK-Doc-1.32</a> and <a class="xref" href=
          "../general/libxslt.html" title="libxslt-1.1.34">libxslt-1.1.34</a>
          and wish to rebuild the documentation and generate manual pages.
        </p>
      </div>
      <div class="configuration" lang="en" xml:lang="en">
        <h2 class="sect2">
          Configuring p11-kit
        </h2>
        <p>
          The <span class="application">p11-kit</span> trust module
          (<code class="filename">/usr/lib/pkcs11/p11-kit-trust.so</code>)
          can be used as a drop-in replacement for <code class=
          "filename">/usr/lib/libnssckbi.so</code> to transparently make the
          system CAs available to <span class="application">NSS</span> aware
          applications, rather than the static list provided by <code class=
          "filename">/usr/lib/libnssckbi.so</code>. As the <code class=
          "systemitem">root</code> user, execute the following commands:
        </p>
        <pre class="root">
<kbd class=
"command">ln -sfv ./pkcs11/p11-kit-trust.so /usr/lib/libnssckbi.so</kbd>
</pre>
      </div>
      <div class="content" lang="en" xml:lang="en">
        <h2 class="sect2">
          Contents
        </h2>
        <div class="segmentedlist">
          <div class="seglistitem">
            <div class="seg">
              <strong class="segtitle">Installed Programs:</strong>
              <span class="segbody">p11-kit, trust, and
              update-ca-certificates</span>
            </div>
            <div class="seg">
              <strong class="segtitle">Installed Libraries:</strong>
              <span class="segbody">libp11-kit.so and p11-kit-proxy.so</span>
            </div>
            <div class="seg">
              <strong class="segtitle">Installed Directories:</strong>
              <span class="segbody">/etc/pkcs11, /usr/include/p11-kit-1,
              /usr/lib/pkcs11, /usr/libexec/p11-kit,
              /usr/share/gtk-doc/html/p11-kit, and /usr/share/p11-kit</span>
            </div>
          </div>
        </div>
        <div class="variablelist">
          <h3>
            Short Descriptions
          </h3>
          <table border="0" class="variablelist">
            <colgroup>
              <col align="left" valign="top" />
              <col />
            </colgroup>
            <tbody>
              <tr>
                <td>
                  <p>
                    <a id="p11-kit-prog" name="p11-kit-prog"></a><span class=
                    "term"><span class=
                    "command"><strong>p11-kit</strong></span></span>
                  </p>
                </td>
                <td>
                  <p>
                    is a command line tool that can be used to perform
                    operations on PKCS#11 modules configured on the system.
                  </p>
                </td>
              </tr>
              <tr>
                <td>
                  <p>
                    <a id="trust" name="trust"></a><span class=
                    "term"><span class=
                    "command"><strong>trust</strong></span></span>
                  </p>
                </td>
                <td>
                  <p>
                    is a command line tool to examine and modify the shared
                    trust policy store.
                  </p>
                </td>
              </tr>
              <tr>
                <td>
                  <p>
                    <a id="update-ca-certificates" name=
                    "update-ca-certificates"></a><span class=
                    "term"><span class=
                    "command"><strong>update-ca-certificates</strong></span></span>
                  </p>
                </td>
                <td>
                  <p>
                    is a command line tool to both extract local certificates
                    from an updated anchor store, and regenerate all anchors
                    and certificate stores on the system. This is done
                    unconditionally on BLFS using the <em class=
                    "parameter"><code>--force</code></em> and <em class=
                    "parameter"><code>--get</code></em> flags to <span class=
                    "command"><strong>make-ca</strong></span> and should
                    likely not be used for automated updates.
                  </p>
                </td>
              </tr>
              <tr>
                <td>
                  <p>
                    <a id="libp11-kit" name="libp11-kit"></a><span class=
                    "term"><code class="filename">libp11-kit.so</code></span>
                  </p>
                </td>
                <td>
                  <p>
                    contains functions used to coordinate initialization and
                    finalization of any PKCS#11 module.
                  </p>
                </td>
              </tr>
              <tr>
                <td>
                  <p>
                    <a id="p11-kit-proxy" name=
                    "p11-kit-proxy"></a><span class="term"><code class=
                    "filename">p11-kit-proxy.so</code></span>
                  </p>
                </td>
                <td>
                  <p>
                    is the PKCS#11 proxy module.
                  </p>
                </td>
              </tr>
            </tbody>
          </table>
        </div>
      </div>
      <p class="updated">
        Last updated on 2020-02-15 08:54:30 -0800
      </p>
    </div>
    <div class="navfooter">
      <ul>
        <li class="prev">
          <a accesskey="p" href="openssh.html" title="OpenSSH-8.2p1">Prev</a>
          <p>
            OpenSSH-8.2p1
          </p>
        </li>
        <li class="next">
          <a accesskey="n" href="polkit.html" title="Polkit-0.116">Next</a>
          <p>
            Polkit-0.116
          </p>
        </li>
        <li class="up">
          <a accesskey="u" href="security.html" title=
          "Chapter&nbsp;4.&nbsp;Security">Up</a>
        </li>
        <li class="home">
          <a accesskey="h" href="../index.html" title=
          "Beyond Linux� From Scratch     (System V Edition) - Version 9.1">Home</a>
        </li>
      </ul>
    </div>
  </body>
</html>
